
Re: Solved one, new problem - RE: SSL Connection problems



"Doyon, Jean-Francois" wrote:
> 
> Dave,
> 
> Aha, finally, figured it out :) I just discovered the tip of using -d127
> with ldapsearch, and that gave me the missing piece of the puzzle.
> 
> Indeed, looks like the TLS subsystem not only wants the CN to match exactly
> the name *I* provide, but ALSO the name obtained from a reverse lookup!
> 
> Here's the problem now:
> 
> When I connect locally from the same box as the server, the TLS subsystem
> seems to reverse lookup only the hostname, as "grumbler" ... But from other
> machines, the hostname is "grumbler.ccrs.nrcan.gc.ca"! So now it seems like
> I can't have a certificate to satisfy both conditions! I can use "grumbler"
> in the certificate, but that will only work for connections that come from
> that same host, or from Netscape Directory SDK connections, that don't seem
> to look at the reverse lookup issue.  If I change the certificate to use the
> FQDN, now I can't do local connections, because it doesn't match "grumbler"
> ...
> 
> Oh and BTW the "hostname" command on the box does return the FQDN, not just
> "grumbler" ...
> 
> The chicken and the egg problem ...
> 
> Anybody have any ideas on how to get around this one?
> 
> Thanks,
> J.F.

Could this be something to do with a change in default config introduced
sometime ago? Make sure you configure with

--enable-rlookups


Dave
--
Dave Lewney
Principal Systems Programmer, Computing Service
University of Sussex, Brighton BN1 9QJ. Tel: 01273 678354 Fax: 01273 271956
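
The name check described in the quoted message, modelled as an added example that is not part of the original thread and is not OpenLDAP's code. Assumptions: each client resolves the server from hosts-format data (constructed below, with a documentation-range address), and a reverse lookup returns the first name listed for the address.

```python
# Constructed hosts-format resolver data, one view per client (assumption).
LOCAL_VIEW = """
# on the server itself: short name listed first
192.0.2.10  grumbler grumbler.ccrs.nrcan.gc.ca
"""
REMOTE_VIEW = """
192.0.2.10  grumbler.ccrs.nrcan.gc.ca grumbler
"""
FQDN = "grumbler.ccrs.nrcan.gc.ca"

def parse_hosts(text):
    """Return (forward, reverse) maps built from hosts-format text."""
    forward, reverse = {}, {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line or comment
        addr, names = fields[0], fields[1:]
        reverse.setdefault(addr, names[0].lower())  # first name is canonical
        for name in names:
            forward.setdefault(name.lower(), addr)
    return forward, reverse

def check(cert_cn, supplied, hosts_text):
    """Model of the check as the post describes it: the CN must equal both
    the name the user supplied and the reverse-lookup name."""
    forward, reverse = parse_hosts(hosts_text)
    addr = forward.get(supplied.lower())
    if addr is None:
        return False, "cannot resolve %r" % supplied
    rname = reverse[addr]
    if cert_cn.lower() != supplied.lower():
        return False, "CN %r != supplied name %r" % (cert_cn, supplied)
    if cert_cn.lower() != rname:
        return False, "CN %r != reverse-lookup name %r" % (cert_cn, rname)
    return True, "ok"

# Each client supplies the name that its own reverse lookup would return.
CLIENTS = {"local": ("grumbler", LOCAL_VIEW), "remote": (FQDN, REMOTE_VIEW)}

def cns_passing_everywhere(candidates):
    """Candidate CNs that satisfy every client view."""
    return [cn for cn in candidates
            if all(check(cn, s, v)[0] for s, v in CLIENTS.values())]

if __name__ == "__main__":
    for cn in ("grumbler", FQDN):
        for label, (supplied, view) in CLIENTS.items():
            print(cn, label, check(cn, supplied, view))
    print("CNs valid for all clients:", cns_passing_everywhere(["grumbler", FQDN]))
```
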